
feat: add CI workflow for linting #165

Merged: gnaponie merged 1 commit into main from aipcc-16634/github-action on Jul 1, 2026

Conversation

@rishupk (Contributor) commented Jun 30, 2026

Summary

Adds a CI workflow that runs linting on PRs and pushes to main. Covers shell scripts (ShellCheck), YAML (yamllint), and the Containerfile (hadolint). Also fixes existing lint issues in entrypoint.sh, cli/claudio, and the Containerfile.

AIPCC-16634

Test plan

  • CI runs green on this PR

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Rishabh Kothari <rkothari@redhat.com>

Summary by CodeRabbit

  • Chores
    • Added CI workflow running ShellCheck, YAML linting, and containerfile linting on pushes and pull requests to the main branch.
    • Added/updated linting configurations for consistent formatting and rule behavior.
  • Bug Fixes
    • Improved the CLI wrapper’s environment loading and quoting for safer handling of paths and config files.
    • Hardened the container build process with better cache cleanup and safer shell execution settings.

@coderabbitai (Bot) commented Jun 30, 2026

Warning

Review limit reached

@rishupk, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 55 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 982f0027-c9c1-412e-8c5b-7da488c6c314

📥 Commits

Reviewing files that changed from the base of the PR and between 71afa63 and 9215261.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .hadolint.yaml
  • .yamllint.yml
  • Containerfile
  • cli/claudio
  • entrypoint.sh
📝 Walkthrough

Adds a CI workflow for shellcheck, yamllint, and hadolint, adds lint configs, and adjusts Containerfile and shell scripts for cleaner package cleanup, quoting, and shellcheck compatibility.

Changes

CI Linting and Shell Hardening

Layer | File(s) | Summary
CI workflow and lint configs | .github/workflows/ci.yml, .yamllint.yml, .hadolint.yaml | Adds CI jobs for shellcheck, yamllint, and hadolint, plus the supporting lint configuration files.
Containerfile cleanup and shell settings | Containerfile | Combines package cleanup and user creation into install layers and adds bash pipefail for later RUN commands.
cli wrapper and entrypoint shell fixes | cli/claudio, entrypoint.sh | Quotes env-file sourcing and mount paths in the wrapper, and adds shellcheck suppression around the entrypoint signal handler.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • aipcc-cicd/claudio#140: Both PRs modify the cli/claudio wrapper script—specifically the wrapper’s handling of loading ~/.config/claudio/.env and constructing the podman run volume/mount arguments—so the changes are related at the code level.

Suggested reviewers: gnaponie, ppitonak

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and concisely summarizes the main change: adding a CI workflow for linting.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@rishupk force-pushed the aipcc-16634/github-action branch 2 times, most recently from 9656a04 to a341d99 on June 30, 2026 09:48
@rishupk changed the title from "feat: add GitHub Action for running Claudio" to "feat: add CI workflow for linting" on Jun 30, 2026
@rishupk force-pushed the aipcc-16634/github-action branch 5 times, most recently from 5a3f8a6 to 3221170 on June 30, 2026 11:35
@rishupk marked this pull request as ready for review on July 1, 2026 07:54
@rishupk requested a review from gnaponie on July 1, 2026 07:54
@rishupk force-pushed the aipcc-16634/github-action branch from 3221170 to cdddfd1 on July 1, 2026 08:00

@coderabbitai (Bot) left a comment

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

1-38: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add explicit least-privilege permissions and disable credential persistence.

Static analysis flags default (unset) permissions and unset persist-credentials on all three checkout steps. Since these jobs only run linters and never need to write to the repo or persist git credentials, tightening this reduces the blast radius if a linter action is ever compromised.

🔒 Proposed hardening
 name: CI
 
 on:
   push:
     branches: [ main ]
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     name: ShellCheck
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Run ShellCheck
       run: shellcheck entrypoint.sh scripts/pt-manager.sh cli/claudio
 
   yaml-lint:
     name: YAML lint
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Run yamllint
       run: yamllint -c .yamllint.yml .github/workflows/*.yml integrations/gitlab-ci/claudio.yml
 
   hadolint:
     name: Hadolint
     runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Run hadolint
       uses: hadolint/hadolint-action@v3.1.0
       with:
         dockerfile: Containerfile
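Review bot: the stated motivation, limiting blast radius if a linter action is compromised, applies just as much to the two third-party actions this hunk leaves on mutable tags, `actions/checkout@v6` and `hadolint/hadolint-action@v3.1.0`; a tag can be moved to different code later, a full commit SHA cannot, so pin both by SHA and keep the tag in a trailing comment for readability. Separately, the `shellcheck` and `yamllint` steps run binaries straight from the `ubuntu-24.04` image with no install step or version pin, so lint results can change whenever the runner image is updated; if reproducibility matters, add an explicit install step with a fixed version.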
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 1 - 38, The CI workflow is relying on
default GitHub token permissions and the checkout steps still persist
credentials, which is broader than needed for lint-only jobs. Update the
workflow jobs named shellcheck, yaml-lint, and hadolint to set explicit
least-privilege permissions, and change each actions/checkout@v6 step to disable
credential persistence. Keep the existing lint commands and job structure
unchanged while tightening the security settings around checkout.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 259ae236-5837-4608-b358-f71617156191

📥 Commits

Reviewing files that changed from the base of the PR and between 0073089 and 3221170.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .hadolint.yaml
  • .yamllint.yml
  • Containerfile
  • cli/claudio
  • entrypoint.sh

@rishupk force-pushed the aipcc-16634/github-action branch 2 times, most recently from ddb2c2e to 0ab2144 on July 1, 2026 08:03
@rishupk force-pushed the aipcc-16634/github-action branch from 0ab2144 to 71afa63 on July 1, 2026 10:34

@coderabbitai (Bot) left a comment

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

14-14: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on checkout steps.

None of these lint jobs push or need the checked-out git credential afterward; leaving it persisted is an unnecessary credential exposure risk, flagged by zizmor (artipacked).

🔒 Suggested fix (apply to all three checkout steps)
-    - uses: actions/checkout@v7
+    - uses: actions/checkout@v7
+      with:
+        persist-credentials: false
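Review bot: the hunk re-emits `- uses: actions/checkout@v7` unchanged as a `-`/`+` pair and only adds the `with:` block; since the finding also covers lines 23 and 37, all three checkout steps need the same change together, otherwise zizmor keeps flagging the two untouched ones. `persist-credentials: false` stops the token from being written into the checked-out repository's git config, so any later step that pushes or fetches private submodules would have to supply credentials itself; none of these lint steps does, so the change is safe here.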

Also applies to: 23-23, 37-37

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 14, The checkout steps in the CI workflow
are persisting git credentials unnecessarily, which creates avoidable exposure
risk. Update each `actions/checkout` usage in the workflow to set
`persist-credentials: false`, including the checkout step near the lint jobs and
the other two checkout steps referenced in the review, so the jobs still fetch
code without leaving credentials available afterward.

Source: Linters/SAST tools


1-43: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add explicit least-privilege permissions: block.

No permissions: block is set, so jobs default to the (potentially broad) repo-configured GITHUB_TOKEN permissions. These jobs only run linters against checked-out code and don't need write access.

🔒 Suggested fix
 name: CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]
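Review bot: a workflow-level `permissions:` block as proposed restricts `GITHUB_TOKEN` for every job in the file, which is the right default for lint-only jobs; if a job that must write is added later (posting a comment, pushing a fix), give it a job-level `permissions:` override rather than widening this block. Placing it between `name:` and `on:` is valid, since YAML mapping order is irrelevant, but the hunk shows only the `push:` trigger as context, so confirm the `pull_request:` trigger below it is left intact when applying.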
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 1 - 43, Add an explicit
least-privilege permissions block to the CI workflow so the default GITHUB_TOKEN
is not broader than needed. Update the workflow-level configuration in the CI
file and set permissions for the ShellCheck, YAML lint, and Hadolint jobs to
read-only access only, since these jobs only check out code and run linters. Use
the existing job names and the top-level workflow structure to place the new
permissions block cleanly.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f7d308c5-f153-4117-88f3-e5b894c8c85e

📥 Commits

Reviewing files that changed from the base of the PR and between 3221170 and 71afa63.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .hadolint.yaml
  • .yamllint.yml
  • Containerfile
  • cli/claudio
  • entrypoint.sh
✅ Files skipped from review due to trivial changes (4)
  • .hadolint.yaml
  • .yamllint.yml
  • cli/claudio
  • entrypoint.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • Containerfile
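As an added example (not code from this PR or from CodeRabbit), the following Python script audits a GitHub Actions workflow for the two points raised in the review comments above, a missing workflow-level `permissions:` block and checkout steps that keep `persist-credentials`, and goes one step beyond the review by also checking that every `uses:` reference is pinned to a full commit SHA. The workflow text embedded in it is constructed to resemble the one shown in the suggested diffs and is not the repository's `ci.yml`. It uses a line-and-indent scanner rather than a YAML library so it runs with the standard library alone.

```python
"""Audit a GitHub Actions workflow for the hardening points raised in the review.

Added example, not code from this PR or from CodeRabbit. Standard library only:
a line/indent scanner stands in for a YAML parser so it runs offline. Checks:
  1. a workflow-level `permissions:` block exists,
  2. every `actions/checkout` step sets `persist-credentials: false`,
  3. (beyond the review) every `uses:` reference is pinned to a 40-hex commit SHA.
"""
import re

# Constructed sample modelled on the workflow in the suggested diffs; it is not
# the repository's ci.yml. The first checkout is hardened, the second is not.
SAMPLE_WORKFLOW = """\
name: CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-24.04
    steps:
    - uses: actions/checkout@v6
      with:
        persist-credentials: false

    - name: Run ShellCheck
      run: shellcheck entrypoint.sh cli/claudio

  hadolint:
    name: Hadolint
    runs-on: ubuntu-24.04
    steps:
    - uses: actions/checkout@v6

    - name: Run hadolint
      uses: hadolint/hadolint-action@v3.1.0
      with:
        dockerfile: Containerfile
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def indent(line):
    """Number of leading spaces, used as a proxy for YAML nesting depth."""
    return len(line) - len(line.lstrip(" "))


def list_items(lines):
    """Yield (1-based lineno, item_lines) for each `- ` YAML list item.
    An item runs until the next non-blank line indented no deeper than its dash."""
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)-\s+\S", lines[i])
        if not m:
            i += 1
            continue
        dash = len(m.group(1))
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or indent(lines[j]) > dash):
            j += 1
        yield i + 1, lines[i:j]
        i = j


def audit_workflow(text):
    """Return [(lineno, finding), ...]; an empty list means every check passed."""
    lines = text.splitlines()
    findings = []
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append((1, "no workflow-level permissions: block; jobs inherit "
                            "the repository default GITHUB_TOKEN scope"))
    for lineno, item in list_items(lines):
        ref = None
        for ln in item:
            m = USES_RE.match(ln)
            if m:
                ref = m.group(1)
                break
        if ref is None:
            continue  # a `run:` step or some other list item, nothing to pin
        action, _, version = ref.partition("@")
        # Local actions (./path) have no ref to pin; everything else should be a SHA.
        if not action.startswith("./") and not SHA_RE.match(version):
            findings.append((lineno, f"{ref} is pinned to a mutable ref, not a commit SHA"))
        if action == "actions/checkout" and not any(PERSIST_OFF_RE.match(ln) for ln in item):
            findings.append((lineno, f"{ref} keeps persist-credentials (default true): "
                                     "the token stays in the checkout's git config"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

Run against the embedded sample it reports the missing `permissions:` block, the second checkout step's persisted credentials, and all three tag-pinned actions; prepending a `permissions:` block and swapping the tags for commit SHAs leaves only the persisted-credentials finding, which is what the review's second diff fixes.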

AIPCC-16634

- Add CI workflow with ShellCheck, ruff, yamllint, and hadolint
- Add yamllint config matching existing YAML conventions
- Fix shellcheck warnings in cli/claudio and entrypoint.sh
- Fix hadolint warnings in Containerfile (dnf clean all, pipefail)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Rishabh Kothari <rkothari@redhat.com>
@rishupk force-pushed the aipcc-16634/github-action branch from 71afa63 to 9215261 on July 1, 2026 10:39
@gnaponie merged commit 5ea6de6 into main on Jul 1, 2026
9 checks passed